Automated Voting System
CVE-2025-11667
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was found in code-projects Automated Voting System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/add_candidate_modal.php.. The manipulation of the argument firstname results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.
AnalysisAI
SQL injection in Automated Voting System 1.0 allows authenticated remote attackers to manipulate the firstname parameter in /admin/add_candidate_modal.php, resulting in limited confidentiality, integrity, and availability impact. The vulnerability has a very low CVSS score (2.1) due to requirement for authenticated access and limited scope, but publicly available exploit code exists. Active exploitation is not confirmed in CISA KEV, and the EPSS score of 0.01% indicates minimal real-world exploitation probability despite public POC availability.
Technical ContextAI
The vulnerability stems from improper input validation and parameterization in a PHP-based web application. The file /admin/add_candidate_modal.php fails to sanitize or use prepared statements when processing the firstname parameter, allowing an attacker to inject arbitrary SQL commands. CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') classifies this as a second-order injection risk where user input flows directly into SQL queries without parameterization. The application is built on PHP and appears to use a MySQL or similar SQL database backend for candidate management in the voting system.
RemediationAI
No vendor-released patch is currently available from code-projects for Automated Voting System 1.0. Immediate remediation requires input validation hardening: implement parameterized queries (prepared statements) using bound variables in the firstname parameter processing within /admin/add_candidate_modal.php, replacing direct string concatenation into SQL queries. As a compensating control, restrict access to /admin/ paths to a whitelist of trusted IP addresses or require multi-factor authentication for administrative accounts to reduce the likelihood of credential compromise. Monitor database logs for anomalous SQL patterns (UNION, SELECT, OR 1=1) in candidate addition requests. If a patched version becomes available from the vendor, upgrade immediately. Organizations running this voting system should evaluate forking or replacing the software with actively maintained alternatives, as the project appears unmaintained.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today